Friday, December 17, 2010

Based on current advice, HHS rule-makers can have their pick of three possible paths to take on patient privacy and consent.

One path was laid out this month by the Federal Trade Commission in a report on privacy involving commercial personal health record systems. The FTC calls for a standard of protection that defines privacy as consent.

In drafting its recommendations, the FTC looked at the Fair Information Practices Principles, or FIPPs, developed by the Department of Health Education and Welfare in 1973. One of the five FIPPs says: “There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.”

The FIPPs have been one of America's most welcome exports, forming the basis for privacy policies (PDF) in Canada and Europe.

A similar path was cleared for HHS by the Commerce Department in its report on commercial data privacy released Thursday. It called for a privacy policy relying on self-regulation and voluntary compliance by “stakeholders” such as the Direct Marketing Association, Network Advertising Initiative, Financial Services Forum, Intel, Google and Microsoft. The Commerce Department suggests these guidelines might be based on “revitalized” FIPPs that would “emphasize substantive privacy protection rather than simply creating procedural hurdles.”

And the department recommended these self-regulators “promote informed consent.”

Finally, last week, the President's Council of Advisors on Science and Technology said data-tagging technology should be used to enable patients' consent and control over their information.

All three bodies recommended personal control and consent. But if HHS decides to follow their advice, it will have to do some backtracking.

That's because in 2002, HHS rule-makers scrapped a patient's right of consent that had been part of an earlier privacy rule. They replaced consent with “regulatory permission” for the movement of a patient's medical records without consent for a vast array of uses. HHS has been stumbling over its pro-privacy rhetoric ever since.

Yet the HHS framework never mentions consent and goes on to define privacy, not as a right, but merely a patient's “interest” in controlling the disclosure of his healthcare information. A workgroup of the federally chartered Health Information Technology Policy Committee has been drawing fire from industry quarters for having the temerity to try to re-introduce the concept of patient consent—albeit in a very limited form—in its recommendations to the government.

First the Federation of American Hospitals and then Kevin Nicholson, the vice president of government affairs for the National Association of Chain Drug Stores, expressed displeasure at the tiger team's direction.

HHS rule-makers soon have to update the language on enforcement, breach notification and the final updates to the HIPAA privacy rule in the American Recovery and Reinvestment Act of 2009.

Monday, December 13, 2010

HOW far does consumer privacy protection lag behind data-collection systems, those advanced technologies that media companies use to gather, share and profit from our personal information?

Too far, according to two privacy advocates.

“Solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress,” the privacy experts wrote in the Harvard Law Review. “In this, as in other branches of commerce, the supply creates demand,” they added; and that demand, they noted, ends up broadcasting our private matters in public spheres.

Sound familiar?

The review article, written in 1890 by the young lawyers Samuel D. Warren and Louis D. Brandeis, concerned the spread of that era’s viral technology: snapshot photography. Newspaper photographers, the lawyers wrote, were feeding an “unseemly gossip” industry by taking and publishing candid shots of people without their consent.

Before the advent of the camera, explains Jon Leibowitz, the chairman of the Federal Trade Commission, newspaper photographers would have had difficulty carting heavy daguerreotype equipment and using it to peer over people’s back garden fences.

“But once you went to a real camera,” Mr. Leibowitz said in an interview last week, “that could easily be done.”

As the adage goes: Everything old is new again.

On the one hand, consumers often benefit from newfangled gizmos — be they cameras, tape recorders or cellphones. On the other hand, the widespread adoption of technology has often left legislators and regulators racing to play catch up.

The F.T.C., for instance, just published a report in which agency experts concluded that data-collection techniques on the Web had outdistanced user privacy control. So it was only natural that Mr. Leibowitz looked to tradition and invoked the 19th-century law review article, which essentially laid the legal foundations for protecting Americans’ privacy rights.

Mr. Warren and Mr. Brandeis wrote, for example, that privacy, an intangible right, was as important as more tangible common law rights, like the ownership of private property. People have the right, they wrote, to control dissemination of their personal thoughts or images. People also have “the right to be let alone.”

In a similar fashion, the F.T.C.’s report recommends that Internet and mobile app users receive better control over who sees, collects and shares information about their electronic behavior — like, say, the Web sites they peruse or the terms they plug into search engines. Indeed, the commission proposed a “do not track” mechanism that would allow consumers to opt out of “behavioral advertising,” the kind of marketing that tailors ads to a consumer’s personal track record.

This is not the first time since snapshot photography that new technology has inspired legal experts to rethink privacy protections.

As an example, Ms. Rich cited the 1960s, when deeper credit reporting allowed companies to use advanced database technology to collect consumers’ financial information. Once legislators began to understand how such databases could affect people’s ability to obtain mortgages, housing and even jobs, she said, Congress enacted the Fair Credit Reporting Act. The 1970 law allowed consumers to retrieve and correct credit information about themselves. Indeed, privacy regulation is often reactive, says William McGeveran, a privacy scholar at the University of Minnesota Law School.

Take the Video Privacy Protection Act, enacted by Congress in 1988, after a local newspaper in Washington obtained and published the video rental records of Robert Bork, a Supreme Court nominee. The so-called Bork law, one of the country’s strongest privacy statutes, prohibits the disclosure of personally identifiable rental information without consumer consent. “One of the comical attributes of privacy regulation is — a lot of it is responsive to fire alarms,” says Professor McGeveran.

Indeed, over time Congress has increased privacy regulation in different industries, he says. There’s the Health Insurance Portability and Accountability Act, for one, that in 1996 established certain federal protections for personal health information. And the Gramm-Leach-Bliley Act of 1999, which required financial service companies to notify customers about their information policies and allow them to opt out from having their data shared with unaffiliated parties.

“Maybe now it’s online privacy’s turn to have more of a direct regulatory intervention,” Professor McGeveran says.

The trade commission’s report proposes new industry practices to enhance online privacy choices for consumers. For those to take effect, however, either the interactive advertising industry would have to increase self-regulation or Congress would have to enact a law enabling the commission to enforce new rules.

Some industry groups are already stepping up transparency.

In October, the Digital Advertising Alliance, a coalition of trade groups, introduced an “advertising option icon”— a logo that Web sites can display to indicate that they collect consumer data and that they allow people to opt out of behavioral advertising. Next month, some data collection firms in that coalition are introducing the Open Data Partnership, a program that will allow consumers to edit their information profiles on certain sites or opt out of being tracked by participating companies.

Companies “promise they won’t use the data they collect for the purpose of picking the individual ads they are showing you,” he says, “but they don’t actually offer to stop collecting data about you.”

AND there’s another potential problem, Mr. Soghoian says.

Web sites often deposit cookies on consumers’ computers to track online preferences and activities. The F.T.C.’s recommendation for an opt-out mechanism would play on that idea with a privacy cookie, encoded in people’s browsers, that would alert advertising networks to users’ privacy choices.

But a few smaller companies have already moved beyond cookies, Mr. Soghoian says, with a technique called “device fingerprinting.” That advanced technology can follow online behavior — not by using cookies but by tracking signals that are specific to a person’s individual laptop or mobile device.

“That’s not something you can opt out of,” Mr. Soghoian says. “There’s no way to delete my fingerprint because there’s no way for me to delete my phone or my computer.”

Monday, December 6, 2010

An Office of Personnel Management plan to launch a comprehensive database of federal workers' health care records has raised the ire of some privacy advocates, employee unions and consumer groups.

OPM is organizing a research database of insurance claims filed by the eight million workers and dependents enrolled in the Federal Employees Health Benefits Program, as well as participants in two other federally administered programs. The claims data, which will be supplied by the private insurers that participate in the FEHBP, will help OPM figure out ways to lower costs, improve quality and fight fraud, the agency has said.

But critics - which include the American Civil Liberties Union, Consumers Union and the American Federation of Government Employees - argue that the government should avoid setting up a repository of sensitive information that could be vulnerable to privacy breaches. At minimum, they say, OPM should provide more information about how the database, called the Health Claims Data Warehouse, will work and who will have access to it.

"We're talking about a government database with health diagnoses, payment information, and procedures," said Harley Geiger, policy counsel at the Center for Democracy and Technology, a public interest firm based in Washington. "Enrollees are almost certainly unaware that the government plans to compile all that into one big federal database."

OPM has asserted that it has "a strong track record" of protecting the privacy of sensitive employee information. It also extended, until Dec. 15, the comment period for the project, and said it's considering putting out "a more detailed explanation of how the records in this system will be protected and secured."

The database, approved as part of the new health care law, will collect health-services data from about 230 private health plan options offered to federal workers through the FEHBP. Information also will be compiled from enrollees in two other programs created by the health law. One involves the high-risk pools set up by the Department of Health and Human Services for people who can't get insurance because of medical problems. The other involves private "multi-state plan options" for individuals and small businesses. These plans, to be administered by OPM, will be available on state-based exchanges beginning in 2014. The database will be the largest government aggregation of private health plan data compiled in the United States, analysts say.

Once the OPM database is functioning, the agency plans to gather monthly updates on everything from medical diagnoses to surgical procedures to prescription-drug use. In theory, the database will allow OPM to scrutinize a specific group of enrollees - those with diabetes, for example - to identify the most effective treatments.

The data, according to an Oct. 5 Federal Register notice by OPM, will be used by agency analysts as well as some other federal agencies, to discern costs and trends. Certain outside researchers also could get access to the material, almost always in an aggregated form, according to a senior OPM official involved in the project who asked not to be named given that the details for the database remain under review.

Researchers say the database could be helpful if constructed and used properly; it could, for example, lead to wider adoption of "best practices" as well as lower costs, said Kevin O'Brien, a director of the California-based data analytics firm Berkeley Research Group.

Even modest cost reductions could produce substantial savings for the government and workers. OPM Director John Berry, in a report on the agency's 2009 performance, said reducing annual premium growth by 0.1 percent for three consecutive years would save the FEHBP $1.25 billion over 10 years. The agency, on average, picks up 70 percent of the cost of premiums; workers pay the rest.

But privacy advocates aren't assuaged. They note that the data collected by OPM will include names, birthdates and other personal identifying information. In addition, they say it's unnecessary for OPM to set up its own database, since insurers already store health information.

"One of the big concerns here is the duplication," said Chris Calabrese, legislative counsel to the ACLU. Calabrese would rather see OPM use a "pointer system" to locate the information it needs. "Instead of having all the information in one database, if you want info on Patient 'X' â€¦ go directly to the record source," he said.

OPM officials counter that the privacy concerns are overblown. The senior OPM official said researchers won't be permitted to see personal identifiers. The agency had said earlier that the health data could be subject to the "routine uses" that apply to most federal databases under the Privacy Act of 1974. That means the records could be pulled by law enforcement officials in a criminal investigation or used in a congressional inquiry. Now, the official said, the agency is considering narrowing the list of agencies that would be granted special access to its records. Within OPM, the data will only be made available to analysts with the proper clearances, the official said.

In addition, the OPM official said asking insurance companies to independently analyze their own data would defeat a key purpose of the database - which is to compare health plans. For example, one health plan might charge more than another for prescription drug programs and the data might help OPM decide whether to drop one pharmacy benefits manager in favor of another. About 30 percent of FEHBP's spending goes for prescription drugs.

OPM's plans aren't unprecedented - TRICARE, the military's health care program, has data on its participants, and the federal Centers for Medicare and Medicaid Services keeps information on Medicare beneficiaries. But TRICARE, Medicare and Medicaid are public health programs; OPM's database will be collecting health information from private plans. The California Public Employees' Retirement System maintains a database on the private health plans it manages. OPM's project would be similar.

Kaiser Health News (www.kaiserhealthnews.org) is an editorially independent news service of the Kaiser Family Foundation, a nonpartisan health care policy organization that isn't affiliated with Kaiser Permanente.

"The report appears to address the key themes that [the commission] previously had indicated would be covered,” said Hunton & Williams partner Lisa Sotto. “Industry leaders undoubtedly will pay close attention to the FTC's pronouncements.”

One of the major themes of the 122-page report is the need to reduce the burden on consumers by simplifying choice, embracing privacy-by-design principles and making privacy policies more consistent across the board.

“We need to greatly simplify consumer choice,” FTC consumer protection director David Vladeck said while previewing the report at a Consumer Watchdog event in Washington, DC, this morning.

Morrison & Foerster partner D. Reed Freeman, CIPP, commented on the breadth of the report, noting that it applies to online and offline data and encourages companies to adopt the full panoply of Fair Information Practice Principles, among other proposals. Freeman says it will be important to determine to what extent the report’s recommendations are enforceable by Section 5 of the FTC Act.

Freeman also noted that the commission left open the issue of whether, when and under what circumstances consent should be opt in or opt out, as well as whether or when opt in would be appropriate for practices involving sensitive data.

There has been much speculation about the commission’s position on the viability of a do-not-track mechanism, designed to let consumers opt out of having their browsing activities monitored. In its report, the FTC supports the idea of such a system, but does not propose to develop or implement one of its own.

"The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads," the report says. "Commission staff supports this approach, sometimes referred to as 'Do Not Track.'"

In this regard, “The commission…wisely left the door open to either legislative or self-regulatory solutions,” said Jules Polonetsky, CIPP, co-chair of the Future of Privacy Forum. “The industry should act quickly to explore and implement a do-not-track mechanism that both supports responsible advertising practices and enhances consumer controls and choices.”

On a call with members of the media this afternoon, FTC Chairman Jon Leibowitz addressed whether, given the scope of the report, the FTC is moving towards a definition of “consumer” data rather than “personal” data and whether this is a broadening of the FTC’s overall approach to consumer privacy. Leibowitz said that the commission’s approach today is in some ways consistent with what it has done in previous decades, but personal data can be synthesized differently today. “You can take information that’s not technically a Social Security number or name” and find out who that person is. “We’re not looking for more authority,” Leibowitz said. “This is only advice to businesses and advice to consumers.”

The staff report also addresses increased transparency and outlines the commission’s desire for better privacy policies and systems to enhance notice and choice and outlines the commission’s hopes to improve “consumers’ ability to compare data practices across companies, thereby encouraging competition on privacy issues,” and it calls for strong protections surrounding sensitive information such as healthcare and financial data, children’s information and geo-location data. The commission is exploring what other areas might need to be treated as sensitive.

At the morning forum, Vladeck provided an indication of how the FTC will deal with the disregard of consumers’ privacy wishes.

“Consumer choices, once exercised, must be respected,” Vladeck said, adding that the commission “will not tolerate a technological arms race” aimed at subverting those choices. The FTC will accept comments on its proposals through January 31, 2011. The report includes a number of specific questions in areas where the commission seeks feedback. --------------------------------------------------Stefaan G. VerhulstChief of ResearchMarkle Foundation10 Rockefeller Plaza, Floor 16New York, NY 10020-1903Tel. 212 713 7630Cell 646 573 1361http://www.markle.org